yiguolei commented on code in PR #49884:
URL: https://github.com/apache/doris/pull/49884#discussion_r2035050769
##########
fe/fe-core/src/main/java/org/apache/doris/resource/workloadgroup/WorkloadGroupMgr.java:
##########
@@ -200,82 +203,78 @@ private void writeUnlock() {
lock.writeLock().unlock();
}
- public List<TPipelineWorkloadGroup> getWorkloadGroup(ConnectContext
context) throws UserException {
- String groupName = getWorkloadGroupNameAndCheckPriv(context);
+ private WorkloadGroup getWorkloadGroupByComputeGroupUnlock(Pair<String,
String> key)
+ throws DdlException {
+ WorkloadGroup wg = nameToWorkloadGroup.get(key);
+ if (wg == null) {
+ throw new DdlException("can not find workload group " + key.second
+ " in " + key.first + ".");
+ }
+ return wg;
+ }
+
+ public List<TPipelineWorkloadGroup> getWorkloadGroupByName(UserIdentity
userIdentity, String wgFullName)
+ throws DdlException {
+ String[] wgNameArr = wgFullName.split("\\.");
+ String cgName = Tag.DEFAULT_BACKEND_TAG.value;
+ String wgName = DEFAULT_GROUP_NAME;
+ if (wgNameArr.length == 1) {
+ wgName = wgNameArr[0];
+ } else if (wgNameArr.length == 2) {
+ cgName = wgNameArr[0];
+ wgName = wgNameArr[1];
+ } else {
+ throw new DdlException("invalid workload group name: " +
wgFullName);
+ }
+
List<TPipelineWorkloadGroup> workloadGroups = Lists.newArrayList();
readLock();
try {
- WorkloadGroup workloadGroup = nameToWorkloadGroup.get(groupName);
- if (workloadGroup == null) {
- throw new UserException("Workload group " + groupName + " does
not exist");
+ WorkloadGroup wg =
getWorkloadGroupByComputeGroupUnlock(Pair.of(cgName, wgName));
+ if (userIdentity != null) {
+ if (!Env.getCurrentEnv().getAccessManager()
+ .checkWorkloadGroupPriv(userIdentity, wgName,
PrivPredicate.USAGE)) {
+ ErrorReport.reportDdlException(
+ "Access denied; you need (at least one of) the %s
privilege(s) to use workload group '%s'.",
+ ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR,
"USAGE/ADMIN", wgName);
+ }
}
- workloadGroups.add(workloadGroup.toThrift());
- context.setWorkloadGroupName(groupName);
+ workloadGroups.add(wg.toThrift());
} finally {
readUnlock();
}
return workloadGroups;
}
- public long getWorkloadGroup(UserIdentity currentUser, String groupName)
throws UserException {
- Long workloadId = getWorkloadGroupIdByName(groupName);
- if (workloadId == null) {
- throw new UserException("Workload group " + groupName + " does not
exist");
- }
- if (!Env.getCurrentEnv().getAccessManager()
- .checkWorkloadGroupPriv(currentUser, groupName,
PrivPredicate.USAGE)) {
- ErrorReport.reportAnalysisException(
- "Access denied; you need (at least one of) the %s
privilege(s) to use workload group '%s'.",
- ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR, "USAGE/ADMIN",
groupName);
- }
- return workloadId.longValue();
- }
+ public List<TPipelineWorkloadGroup> getWorkloadGroup(ConnectContext
context) throws UserException {
+ String wgName = getWorkloadGroupNameAndCheckPriv(context);
Review Comment:
我们现在这种check 方式,解决不了这个场景:
CGA 里有wg1,wg2
CGB 里有wg1,wg2
我想让一个用户只有CGA.WG1的权限,有CGB.WG2的权限,但是没有CGB的WG1的权限。
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscr...@doris.apache.org
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@doris.apache.org
For additional commands, e-mail: commits-h...@doris.apache.org
